I come to you from Stack Overflow in peace. My expertise is in development and I understand basic networking only, so please keep things in layman's terms. With that said, I'm going to hire a developer to remote into my home server and do development. There are several reasons why I want the developer to work on my machine remotely rather than on theirs, but I'll pass on those details for now.

Here's what I have so far:

Windows Server 2008 R2 behind a Linksys router.

ClamWin Free Anti-virus running on the server.

Most default Windows settings: firewall on, UAC, etc.

Opened up two ports (1723 & 500) on my router and set up a VPN host on the server (never set one up before but it seems to work fine).

DynDNS service/client to keep my dynamic IP static.

Server has RDP access from inside the network only.

VMware Server installed on the host server; Windows XP Pro VM created to develop on w/admin privileges and RDP access is on from inside the network.

So basically my idea for the hired developer is:

VPN into the network.

RDP to remote into the virtual machine.

How does this setup sound? I'm sure there is more configuration that needs to be done to the VM itself because I want to keep it isolated from the rest of the network. Any tips or pointers would be very helpful.


4 Answers
4

In a somewhat relevant question here it seemed to be agreed that we don't have any compelling reason to be worried about the host being overly vulnerable from its guests.

One step that would be nice (if possible, though it seems unlikely) is if your developer can do his work on the VM isolated from the LAN. Afterward, you could change networking properties on the VM to connect to the LAN to check in code or whatnot.

It sounds like you have the bases covered. There are only a few things that I'd point out:

Decide whether or not to use PPTP or IPSEC for the VPN, but not both. Whichever you choose, close the other port (1723 or 500).

Understand that your server (and internal network) are pretty safe from unknown attackers with your setup, but by letting the developer in you're giving him or her carte blanche. Do you trust this person? Will there be any kind of NDA, waiver, no harm clause, etc., etc.?

I won't know this person (hasn't been hired just yet). That's why I decided on the virtual environment setup. Can I restrict this vm so it cannot affect my network in any way?
– Beavis, Sep 2 '09 at 20:09

Oh, and I totally lost ya on the PPTP/IPSEC stuff. Is that by any chance related to the IPv4, which I have checked off in the VPN settings? If it's not I wouldn't know where to find it.
– Beavis, Sep 2 '09 at 20:11

I think he was suggesting that you only open one port on the router, rather than two. You'll only need the one that applies to the VPN method your developer ends up using (PPTP or IPSEC).
– Kara Marfia, Sep 2 '09 at 20:17

Sorry. I should have been more clear. Your original post suggested that you had multiple VPN connection methods enabled (port 1723 for PPTP and port 500 for IPSEC) and I was suggesting that you pick one or the other but not both methods. Whichever you choose, disable the other one to reduce the attack surface.
– joeqwerty, Sep 2 '09 at 20:37

If the user is running with access to anything inside your network there's going to be a security risk.

I don't know how you're planning on setting up with the developer, but you're evidently planning on requiring VPN access of some sort...will this be set up with them ahead of time, will they need special software, or...?

One thing we've used is just straight RDP from the Internet to a system. It would just require a port open and is already encrypted. Might make configuration easier for you and your new unknown hire.

What I would try doing is see if you can get (or have) a router that supports creating a DMZ. That means you would have essentially one LAN with addresses of, for example, 192.168.1.x, then another network of 192.168.254.x, and you can keep your system(s) in the 192.168.254.x side and your developer can work on machines in 192.168.1.x. The two networks could be kept totally separate, and his system he's on would never see traffic from your systems and vice-versa, isolating him a bit more. That would be more secure than most other hoops I could suggest.

I've seen some routers coming out that support this sort of feature but it could get complicated to rig it up with something like a Linux router (plus you'd need a cheap machine with three network cards if you don't have something like this already). A bootable distro like Smoothwall may already support features like this.

The best security without putting too much inconvenience on your consultant hire in my opinion would be isolation of networks, maybe adding a Linux system (or something like smoothwall) to handle some routing so things can be monitored.

I actually had the straight RDP going on and then decided to up the difficulty for my network-challenged-self :) I will have development tools all ready for them to run. It really seems like the main concern is once they're connected to the VM, how do I prevent their access to the network? Well, my network is pretty small: 1 PC and 1 Mac. My PC is password protected and I guess I could not show it to the rest of the network...anything else?
– Beavis, Sep 2 '09 at 20:50

The only way to really try to "secure" it is to separate the networks at the router, kind of like create a VLAN for your work space. I don't know why you're having the developer into your network; from what you outlined of your needs you could just ship him a VM to run on his own system in VMware with everything preconfigured, but you may have your reasons for what you're doing. With the "intruder" inside your network it's not out of the question for them to use an ARP attack to sniff your network traffic. Includes your web browsing and email. Depends on your needs and level of risk.
– Bart Silverstrim, Sep 2 '09 at 22:55
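
The network separation suggested in the answer above (a Linux router with three network cards, developer machines on 192.168.1.x and the owner's systems on 192.168.254.x), written out as an added example that is not part of the original thread: a script that prints an iptables-restore ruleset in which the developer segment cannot open connections to the home segment. The interface names, /24 masks, SSH management rule and log prefix are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a three-NIC Linux router.
# Subnets follow the answer; interface names, /24 masks, the SSH rule and the
# log prefix are assumptions.
WAN_IF=${WAN_IF:-eth0}
DEV_IF=${DEV_IF:-eth1};   DEV_NET=${DEV_NET:-192.168.1.0/24}      # developer VM
HOME_IF=${HOME_IF:-eth2}; HOME_NET=${HOME_NET:-192.168.254.0/24}  # owner's PCs

emit_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies, and SSH management from the home side only.
# The developer segment gets no services from the router (static IP assumed).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $HOME_IF -s $HOME_NET -p tcp --dport 22 -j ACCEPT
# Replies to connections that were allowed to start (e.g. home to VM over RDP).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Developer segment may never open a connection toward the home segment.
-A FORWARD -i $DEV_IF -d $HOME_NET -j LOG --log-prefix "dev-to-home: "
-A FORWARD -i $DEV_IF -d $HOME_NET -j DROP
# Drop spoofed sources arriving on the developer interface.
-A FORWARD -i $DEV_IF ! -s $DEV_NET -j DROP
# Owner can reach the VM; both segments can reach the Internet.
-A FORWARD -i $HOME_IF -s $HOME_NET -o $DEV_IF -j ACCEPT
-A FORWARD -i $HOME_IF -s $HOME_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $DEV_IF -s $DEV_NET -o $WAN_IF -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

emit_rules
```

Pipe the output through `iptables-restore --test` to check that it parses before loading it. Because each segment sits on its own router interface, the two are separate broadcast domains; inbound forwarding for the VPN port is not included here.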